
Role based features

Open devesh-verma opened this issue 5 years ago • 7 comments

Description

In this issue, we want to build a mechanism wherein we have two types of privileges: 1. User 2. Admin, where users are allowed to do only certain tasks based on their privileges.

Example:

  • User cannot edit organization level details, whereas an admin of that org has rights to do so.

Requirements

Resources

devesh-verma avatar Oct 22 '19 16:10 devesh-verma

How are you planning to implement this functionality? Can't we do this using one flag value in the schema to switch between the roles? @devesh-verma

Rupeshiya avatar Dec 22 '19 19:12 Rupeshiya

Hi @Rupeshiya @devesh-verma. Is this issue still active? If so, can I take up this issue?

harsh253 avatar Feb 24 '20 13:02 harsh253

I see that, as suggested by @Rupeshiya, an isAdmin flag is being used. However, in addition to that, I wish to suggest a more flexible and extendable option that places a 'restrict' middleware before an API router as mentioned in this gist. This would accommodate any future role addition and add restrictions to routes without changing the API endpoint's business logic.

aashaypalliwar avatar Jul 06 '20 06:07 aashaypalliwar

Hey @aashaypalliwar, I just checked the gist, so basically what you are doing is making a middleware call to check if the user's role is admin or superAdmin, but don't you think it will increase the number of calls, as it's getting executed on each admin route? Your middleware: adminRouter.use(protect, restrictTo('admin','superAdmin'));

Rupeshiya avatar Jul 06 '20 12:07 Rupeshiya

@Rupeshiya, No, it will not have any performance issue per se. Every user is bound to be authenticated using JWT (as is already being done in the project). Upon JWT verification, the user information is stored in req.user. Every route that needs to be restricted to a particular role will be guarded by this middleware, which simply checks the role indicated in the req.user object. The restrictTo middleware will be guarding appropriate groups of routes, thus preventing repetitive code in each of these routes' logic.

aashaypalliwar avatar Jul 06 '20 12:07 aashaypalliwar

@aashaypalliwar I am saying, how will the middleware check? After each call to that function, right? So basically it will be called every time any request is sent to the backend, so won't it increase the time of each request, as that middleware function needs some ms to execute?

Rupeshiya avatar Jul 06 '20 14:07 Rupeshiya

@Rupeshiya That's the beauty of the express router! It won't happen. If you place these middleware in the respective router, say, for example userRouter, it won't be invoked unless the route /user/* is invoked. Basically, as you might know, the express router is like a mini-app. Our main app would delegate the request to this router when the request begins with the router's parent endpoint (/user in this case); otherwise it won't be invoked.

aashaypalliwar avatar Jul 06 '20 14:07 aashaypalliwar
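The restrictTo middleware and the router-scoping argument from the thread above, as an added example that is not the project's code and not the linked gist. It assumes, as the discussion does, that an earlier protect step has already verified the JWT and placed the user (with a role string) on req.user. Because the example has to run without installing express, a small stand-in router and app (MiniRouter, MiniApp, assumed names) reproduce the one behaviour that matters here: middleware registered on a router runs only for requests under that router's mount prefix, so a guard on /admin never executes for /user/* traffic. A counter on the admin guard makes that visible.

```javascript
// Added example (not the project's code): role restriction in the shape of an
// Express (req, res, next) middleware, plus a minimal stand-in router/app so it
// runs offline. Assumption: `protect` already verified the JWT and set req.user.role.

function restrictTo(...allowedRoles) {
  const allowed = new Set(allowedRoles);
  return function restrict(req, res, next) {
    // Fail closed: missing user or missing role is treated as unauthenticated.
    if (!req.user || typeof req.user.role !== 'string') {
      return res.status(401).json({ error: 'not authenticated' });
    }
    // Authenticated but not in the allowed set: forbidden, not "not found".
    if (!allowed.has(req.user.role)) {
      return res.status(403).json({ error: 'insufficient role' });
    }
    return next();
  };
}

// Stand-in for an Express Router (hypothetical class, not express itself):
// use() middleware runs, in order, only for requests routed to this router.
class MiniRouter {
  constructor() { this.stack = []; this.routes = new Map(); }
  use(...fns) { this.stack.push(...fns); }
  get(path, handler) { this.routes.set(path, handler); }
  handle(req, res) {
    let i = 0;
    const next = () => {
      if (i < this.stack.length) return this.stack[i++](req, res, next);
      const handler = this.routes.get(req.path);
      if (!handler) return res.status(404).json({ error: 'not found' });
      return handler(req, res);
    };
    return next();
  }
}

// Stand-in for the main app: delegates to the first router whose mount prefix
// matches the request path, stripping the prefix like express does.
class MiniApp {
  constructor() { this.mounts = []; }
  use(prefix, router) { this.mounts.push({ prefix, router }); }
  handle(req, res) {
    for (const { prefix, router } of this.mounts) {
      if (req.path === prefix || req.path.startsWith(prefix + '/')) {
        req.path = req.path.slice(prefix.length) || '/';
        return router.handle(req, res);
      }
    }
    return res.status(404).json({ error: 'not found' });
  }
}

// Tiny response object recording status code and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Public user router, and an admin router guarded by restrictTo. The `counting`
// middleware records how often the admin guard chain actually runs.
function buildApp() {
  const state = { guardCalls: 0 };
  const counting = (req, res, next) => { state.guardCalls += 1; next(); };

  const adminRouter = new MiniRouter();
  adminRouter.use(counting, restrictTo('admin', 'superAdmin'));
  adminRouter.get('/org', (req, res) =>
    res.status(200).json({ ok: true, editedBy: req.user.role }));

  const userRouter = new MiniRouter();
  userRouter.get('/profile', (req, res) => res.status(200).json({ ok: true }));

  const app = new MiniApp();
  app.use('/user', userRouter);
  app.use('/admin', adminRouter);
  return { app, state };
}

// Dispatch one constructed request; `user` stands for what protect would set.
function send(app, path, user) {
  const res = makeRes();
  app.handle({ path, user }, res);
  return { status: res.statusCode, body: res.body };
}

function demo() {
  const { app, state } = buildApp();
  return {
    userProfile: send(app, '/user/profile', { role: 'user' }),  // 200, guard not run
    userOnAdmin: send(app, '/admin/org', { role: 'user' }),     // 403
    adminOnAdmin: send(app, '/admin/org', { role: 'admin' }),   // 200
    anonOnAdmin: send(app, '/admin/org', undefined),            // 401
    guardCalls: state.guardCalls,                               // 3: only /admin requests
  };
}
```

The guard distinguishes 401 (no verified user on the request) from 403 (verified user, wrong role), and it fails closed when req.user is absent rather than assuming a default role; adding a new role later is a change to the restrictTo argument list on the router, not to any route handler.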